COMMENT: A Vague Law in a Smartphone World: Limiting the Scope of Unauthorized Access under the Computer Fraud and Abuse Act

By Andrew Hernacki | 61 Am. U. L. Rev. 1543 (2012)

The Computer Fraud and Abuse Act (CFAA) broadly criminalizes unauthorized access to computers and digital information, but how far should these federal prohibitions reach into the mobile data space? As smartphones and mobile applications continually redefine the digital landscape, attempts to apply the decades-old anti-hacking statute in this new territory have created potentially disturbing precedent.

Courts and critics have struggled to interpret the arguably vague and ambiguous provisions of the CFAA and have turned to contract law, agency law, and computer science for guidance. This Comment contends that the contract- and agency-based interpretations implicate constitutional vagueness concerns, and the code-based approach does not sufficiently address “insider” misuse of information. In the context of mobile application data privacy, the shortcomings of current interpretations necessitate a narrower view of unauthorized access. By limiting liability to only traditional notions of hacking and serious misuse of information, the CFAA can better serve its original and primary purpose: punishing criminal computer hackers and those who abuse legitimate access rights.